Re: questions about Qubes-os

Andrew David Wong

Nov 6, 2016, 9:49:00 PM
to trash, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-11-06 11:36, trash wrote:
> Good Evening
>
> The last week I've read something very interesting about Qubes-os in a French magazine. I've tested it for several days and it remains some important questions.
> I sent a mail to benba...@idpresse.com who told me to contact you for further explanations.
> That's what I'm doing.
>

Hello Dom,

Thank you for your interest in Qubes! Just so you know, we like to have (non-private) Qubes discussions on our mailing lists. This allows other knowledgeable people from the community to chime in and allows information to be shared with everyone. It also makes the discussion searchable for other people in the future. So, I'm CCing our qubes-users mailing list in my reply (please keep this address CCed if you reply).

You can read more about our mailing lists here: https://www.qubes-os.org/mailing-lists/

>
> 1/ How could I use ssh to manage qubes-os (not secure but may be useful sometimes)?
>

If you mean from dom0, then this currently breaks the Qubes security model, which entails that dom0 has no network access. (Remote management is planned for the future.) It might currently be possible, but it's not supported. This has come up on the MLs a number of times in the past, so you might consider doing some searches and reading through the results of others' attempts.

> 2/ When I create a "black" default vm, I can see in parameters that networking is not allowed, but between a "green" one and a "blue" one I can't find any differences. So is it me who decides I will surf only on safe sites with a "blue" vm, or are there some parameters modified by the system (iptables for example)? It's not very clear to me.
>

Yes, you ultimately get to decide what the colors mean. When you create a new VM of any color (including black), there are no pre-configured differences based on that color. The color is merely a label. (I suspect that you examined the properties of an existing black VM, perhaps the "vault" created during installation.)

By default, the assumption is that black is the most trusted color, while red is the least trusted. But you're free to overturn this assumption if you wish.

> 3/ I can connect my synology and manage my shares directories via my web browser but not via
> nautilus (or others) with the command smb://192.168.X.Y:aaaa
> (I'm asking for login/password but after, I can't access my shared directories/files).
>

I'm not sure about this one, as I don't use a Synology product. This sounds like it's probably not Qubes-specific, but perhaps rather a Samba/Fedora issue. Maybe someone else can shed light here.

> 4/ And the most important, about the firewall:
>
> One vm +"deny network access except " no Internet link --> normal
>
> One vm +"deny......except 192.168.X.Y:aaaa --> connection on the nas Synology --> normal
>
> One vm +"deny.....except * --> openbar --> normal
>
> One vm + "deny....except phoenixjp.com --> I can connect the site but can't reach the further links. It seems to be normal but not suitable for me.
>
> How could I solve this problem if I want to access http, https, ftp?
>
> Be sure I've surfed on many sites trying to find clues, but without much success.
>

It sounds like you want to allow connections on all protocols to the entire IP range or CIDR block associated with that domain.

Take a look at the documentation here:

https://www.qubes-os.org/doc/qubes-firewall/

The comments in this issue might also be relevant or helpful to you:

https://github.com/QubesOS/qubes-issues/issues/879

> You're certainly the people able to help. It seems to me that a Qubes-os well mastered could be very secured for my network. Actually I can see the amount of possibilities but can't master the essential security parameters to use it in "production" (my home network).
>
> At any rate, very good job
>
> Best regards
>
> Dom Courtiol
>

Thanks! Welcome to Qubes!

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
